/*++ BUILD Version: 0001 // Increment this if a change has global effects Copyright (c) 1989 Microsoft Corporation Module Name: crypt.h Abstract: This module contains the public data structures and API definitions needed to utilize the encryption library Author: David Chalmers (Davidc) 21-October-1991 Revision History: Scott Field (SField) 09-October-2000 Add RNG and Memory encryption interfaces --*/ #ifndef _NTCRYPT_ #define _NTCRYPT_ #ifndef MIDL_PASS // Don't confuse MIDL #ifndef RPC_NO_WINDOWS_H // Don't let rpc.h include windows.h #define RPC_NO_WINDOWS_H #endif // RPC_NO_WINDOWS_H #include #endif // MIDL_PASS #ifdef __cplusplus extern "C" { #endif ///////////////////////////////////////////////////////////////////////// // // // Core encryption types // // // ///////////////////////////////////////////////////////////////////////// // begin_ntsubauth #define CLEAR_BLOCK_LENGTH 8 typedef struct _CLEAR_BLOCK { CHAR data[CLEAR_BLOCK_LENGTH]; } CLEAR_BLOCK; typedef CLEAR_BLOCK * PCLEAR_BLOCK; #define CYPHER_BLOCK_LENGTH 8 typedef struct _CYPHER_BLOCK { CHAR data[CYPHER_BLOCK_LENGTH]; } CYPHER_BLOCK; typedef CYPHER_BLOCK * PCYPHER_BLOCK; // end_ntsubauth #define BLOCK_KEY_LENGTH 7 typedef struct _BLOCK_KEY { CHAR data[BLOCK_KEY_LENGTH]; } BLOCK_KEY; typedef BLOCK_KEY * PBLOCK_KEY; ///////////////////////////////////////////////////////////////////////// // // // Arbitrary length data encryption types // // // ///////////////////////////////////////////////////////////////////////// typedef struct _CRYPT_BUFFER { ULONG Length; // Number of valid bytes in buffer ULONG MaximumLength; // Number of bytes pointed to by Buffer PVOID Buffer; } CRYPT_BUFFER; typedef CRYPT_BUFFER * PCRYPT_BUFFER; typedef CRYPT_BUFFER CLEAR_DATA; typedef CLEAR_DATA * PCLEAR_DATA; typedef CRYPT_BUFFER DATA_KEY; typedef DATA_KEY * PDATA_KEY; typedef CRYPT_BUFFER CYPHER_DATA; typedef CYPHER_DATA * PCYPHER_DATA; ///////////////////////////////////////////////////////////////////////// // // // Lan Manager data types // // // ///////////////////////////////////////////////////////////////////////// // // Define a LanManager compatible password // // A LanManager password is a null-terminated ansi string consisting of a // maximum of 14 characters (not including terminator) // typedef CHAR * PLM_PASSWORD; // // Define the result of the 'One Way Function' (OWF) on a LM password // #define LM_OWF_PASSWORD_LENGTH (CYPHER_BLOCK_LENGTH * 2) // begin_ntsubauth typedef struct _LM_OWF_PASSWORD { CYPHER_BLOCK data[2]; } LM_OWF_PASSWORD; typedef LM_OWF_PASSWORD * PLM_OWF_PASSWORD; // end_ntsubauth // // Define the challenge sent by the Lanman server during logon // #define LM_CHALLENGE_LENGTH CLEAR_BLOCK_LENGTH // begin_ntsubauth typedef CLEAR_BLOCK LM_CHALLENGE; typedef LM_CHALLENGE * PLM_CHALLENGE; // end_ntsubauth // // Define the response sent by redirector in response to challenge from server // #define LM_RESPONSE_LENGTH (CYPHER_BLOCK_LENGTH * 3) typedef struct _LM_RESPONSE { CYPHER_BLOCK data[3]; } LM_RESPONSE; typedef LM_RESPONSE * PLM_RESPONSE; // // Define the result of the reversible encryption of an OWF'ed password. // #define ENCRYPTED_LM_OWF_PASSWORD_LENGTH (CYPHER_BLOCK_LENGTH * 2) typedef struct _ENCRYPTED_LM_OWF_PASSWORD { CYPHER_BLOCK data[2]; } ENCRYPTED_LM_OWF_PASSWORD; typedef ENCRYPTED_LM_OWF_PASSWORD * PENCRYPTED_LM_OWF_PASSWORD; // // Define the session key maintained by the redirector and server // #define LM_SESSION_KEY_LENGTH LM_CHALLENGE_LENGTH typedef LM_CHALLENGE LM_SESSION_KEY; typedef LM_SESSION_KEY * PLM_SESSION_KEY; // // Define the index type used to encrypt OWF Passwords // typedef LONG CRYPT_INDEX; typedef CRYPT_INDEX * PCRYPT_INDEX; ///////////////////////////////////////////////////////////////////////// // // // 'NT' encryption types that are used to duplicate existing LM // // functionality with improved algorithms. // // // ///////////////////////////////////////////////////////////////////////// typedef UNICODE_STRING NT_PASSWORD; typedef NT_PASSWORD * PNT_PASSWORD; #define NT_OWF_PASSWORD_LENGTH LM_OWF_PASSWORD_LENGTH // begin_ntsubauth typedef LM_OWF_PASSWORD NT_OWF_PASSWORD; typedef NT_OWF_PASSWORD * PNT_OWF_PASSWORD; // end_ntsubauth #define NT_CHALLENGE_LENGTH LM_CHALLENGE_LENGTH // begin_ntsubauth typedef LM_CHALLENGE NT_CHALLENGE; typedef NT_CHALLENGE * PNT_CHALLENGE; // end_ntsubauth #define NT_RESPONSE_LENGTH LM_RESPONSE_LENGTH typedef LM_RESPONSE NT_RESPONSE; typedef NT_RESPONSE * PNT_RESPONSE; #define ENCRYPTED_NT_OWF_PASSWORD_LENGTH ENCRYPTED_LM_OWF_PASSWORD_LENGTH typedef ENCRYPTED_LM_OWF_PASSWORD ENCRYPTED_NT_OWF_PASSWORD; typedef ENCRYPTED_NT_OWF_PASSWORD * PENCRYPTED_NT_OWF_PASSWORD; #define NT_SESSION_KEY_LENGTH LM_SESSION_KEY_LENGTH typedef LM_SESSION_KEY NT_SESSION_KEY; typedef NT_SESSION_KEY * PNT_SESSION_KEY; ///////////////////////////////////////////////////////////////////////// // // // 'NT' encryption types for new functionality not present in LM // // // ///////////////////////////////////////////////////////////////////////// // // The user session key is similar to the LM and NT session key except it // is different for each user on the system. This allows it to be used // for secure user communication with a server. // // begin_ntsubauth #define USER_SESSION_KEY_LENGTH (CYPHER_BLOCK_LENGTH * 2) typedef struct _USER_SESSION_KEY { CYPHER_BLOCK data[2]; } USER_SESSION_KEY; typedef USER_SESSION_KEY * PUSER_SESSION_KEY; // end_ntsubauth //////////////////////////////////////////////////////////////////////////// // // // Encryption library API macros // // // // To conceal the purpose of these functions to someone dumping out the // // encryption dll they have been purposefully given unhelpful names. // // Each has an associated macro that should be used by system components // // to access these routines in a readable way. // // // //////////////////////////////////////////////////////////////////////////// #define RtlEncryptBlock SystemFunction001 #define RtlDecryptBlock SystemFunction002 #define RtlEncryptStdBlock SystemFunction003 #define RtlEncryptData SystemFunction004 #define RtlDecryptData SystemFunction005 #define RtlCalculateLmOwfPassword SystemFunction006 #define RtlCalculateNtOwfPassword SystemFunction007 #define RtlCalculateLmResponse SystemFunction008 #define RtlCalculateNtResponse SystemFunction009 #define RtlCalculateUserSessionKeyLm SystemFunction010 #define RtlCalculateUserSessionKeyNt SystemFunction011 #define RtlEncryptLmOwfPwdWithLmOwfPwd SystemFunction012 #define RtlDecryptLmOwfPwdWithLmOwfPwd SystemFunction013 #define RtlEncryptNtOwfPwdWithNtOwfPwd SystemFunction014 #define RtlDecryptNtOwfPwdWithNtOwfPwd SystemFunction015 #define RtlEncryptLmOwfPwdWithLmSesKey SystemFunction016 #define RtlDecryptLmOwfPwdWithLmSesKey SystemFunction017 #define RtlEncryptNtOwfPwdWithNtSesKey SystemFunction018 #define RtlDecryptNtOwfPwdWithNtSesKey SystemFunction019 #define RtlEncryptLmOwfPwdWithUserKey SystemFunction020 #define RtlDecryptLmOwfPwdWithUserKey SystemFunction021 #define RtlEncryptNtOwfPwdWithUserKey SystemFunction022 #define RtlDecryptNtOwfPwdWithUserKey SystemFunction023 #define RtlEncryptLmOwfPwdWithIndex SystemFunction024 #define RtlDecryptLmOwfPwdWithIndex SystemFunction025 #define RtlEncryptNtOwfPwdWithIndex SystemFunction026 #define RtlDecryptNtOwfPwdWithIndex SystemFunction027 #define RtlGetUserSessionKeyClient SystemFunction028 #define RtlGetUserSessionKeyServer SystemFunction029 #define RtlEqualLmOwfPassword SystemFunction030 #define RtlEqualNtOwfPassword SystemFunction031 #define RtlEncryptData2 SystemFunction032 #define RtlDecryptData2 SystemFunction033 #define RtlGetUserSessionKeyClientBinding SystemFunction034 #define RtlCheckSignatureInFile SystemFunction035 #define RtlGenRandom SystemFunction036 #define RtlEncryptMemory SystemFunction040 #define RtlDecryptMemory SystemFunction041 //////////////////////////////////////////////////////////////////////////// // // // Encryption library API function prototypes // // // //////////////////////////////////////////////////////////////////////////// // // Core block encryption functions // NTSTATUS RtlEncryptBlock( IN PCLEAR_BLOCK ClearBlock, IN PBLOCK_KEY BlockKey, OUT PCYPHER_BLOCK CypherBlock ); NTSTATUS RtlDecryptBlock( IN PCYPHER_BLOCK CypherBlock, IN PBLOCK_KEY BlockKey, OUT PCLEAR_BLOCK ClearBlock ); NTSTATUS RtlEncryptStdBlock( IN PBLOCK_KEY BlockKey, OUT PCYPHER_BLOCK CypherBlock ); // // Arbitrary length data encryption functions // NTSTATUS RtlEncryptData( IN PCLEAR_DATA ClearData, IN PDATA_KEY DataKey, OUT PCYPHER_DATA CypherData ); NTSTATUS RtlDecryptData( IN PCYPHER_DATA CypherData, IN PDATA_KEY DataKey, OUT PCLEAR_DATA ClearData ); // // Faster arbitrary length data encryption functions (using RC4) // NTSTATUS RtlEncryptData2( IN OUT PCRYPT_BUFFER pData, IN PDATA_KEY pKey ); NTSTATUS RtlDecryptData2( IN OUT PCRYPT_BUFFER pData, IN PDATA_KEY pKey ); // // Password hashing functions (One Way Function) // NTSTATUS RtlCalculateLmOwfPassword( IN PLM_PASSWORD LmPassword, OUT PLM_OWF_PASSWORD LmOwfPassword ); NTSTATUS RtlCalculateNtOwfPassword( IN PNT_PASSWORD NtPassword, OUT PNT_OWF_PASSWORD NtOwfPassword ); // // OWF password comparison functions // BOOLEAN RtlEqualLmOwfPassword( IN PLM_OWF_PASSWORD LmOwfPassword1, IN PLM_OWF_PASSWORD LmOwfPassword2 ); BOOLEAN RtlEqualNtOwfPassword( IN PNT_OWF_PASSWORD NtOwfPassword1, IN PNT_OWF_PASSWORD NtOwfPassword2 ); // // Functions for calculating response to server challenge // NTSTATUS RtlCalculateLmResponse( IN PLM_CHALLENGE LmChallenge, IN PLM_OWF_PASSWORD LmOwfPassword, OUT PLM_RESPONSE LmResponse ); NTSTATUS RtlCalculateNtResponse( IN PNT_CHALLENGE NtChallenge, IN PNT_OWF_PASSWORD NtOwfPassword, OUT PNT_RESPONSE NtResponse ); // // Functions for calculating User Session Key. // // // Calculate a User Session Key from LM data // NTSTATUS RtlCalculateUserSessionKeyLm( IN PLM_RESPONSE LmResponse, IN PLM_OWF_PASSWORD LmOwfPassword, OUT PUSER_SESSION_KEY UserSessionKey ); // // Calculate a User Session Key from NT data // NTSTATUS RtlCalculateUserSessionKeyNt( IN PNT_RESPONSE NtResponse, IN PNT_OWF_PASSWORD NtOwfPassword, OUT PUSER_SESSION_KEY UserSessionKey ); // // OwfPassword encryption functions // // // Encrypt OwfPassword using OwfPassword as the key // NTSTATUS RtlEncryptLmOwfPwdWithLmOwfPwd( IN PLM_OWF_PASSWORD DataLmOwfPassword, IN PLM_OWF_PASSWORD KeyLmOwfPassword, OUT PENCRYPTED_LM_OWF_PASSWORD EncryptedLmOwfPassword ); NTSTATUS RtlDecryptLmOwfPwdWithLmOwfPwd( IN PENCRYPTED_LM_OWF_PASSWORD EncryptedLmOwfPassword, IN PLM_OWF_PASSWORD KeyLmOwfPassword, OUT PLM_OWF_PASSWORD DataLmOwfPassword ); NTSTATUS RtlEncryptNtOwfPwdWithNtOwfPwd( IN PNT_OWF_PASSWORD DataNtOwfPassword, IN PNT_OWF_PASSWORD KeyNtOwfPassword, OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword ); NTSTATUS RtlDecryptNtOwfPwdWithNtOwfPwd( IN PENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword, IN PNT_OWF_PASSWORD KeyNtOwfPassword, OUT PNT_OWF_PASSWORD DataNtOwfPassword ); // // Encrypt OwfPassword using SessionKey as the key // NTSTATUS RtlEncryptLmOwfPwdWithLmSesKey( IN PLM_OWF_PASSWORD LmOwfPassword, IN PLM_SESSION_KEY LmSessionKey, OUT PENCRYPTED_LM_OWF_PASSWORD EncryptedLmOwfPassword ); NTSTATUS RtlDecryptLmOwfPwdWithLmSesKey( IN PENCRYPTED_LM_OWF_PASSWORD EncryptedLmOwfPassword, IN PLM_SESSION_KEY LmSessionKey, OUT PLM_OWF_PASSWORD LmOwfPassword ); NTSTATUS RtlEncryptNtOwfPwdWithNtSesKey( IN PNT_OWF_PASSWORD NtOwfPassword, IN PNT_SESSION_KEY NtSessionKey, OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword ); NTSTATUS RtlDecryptNtOwfPwdWithNtSesKey( IN PENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword, IN PNT_SESSION_KEY NtSessionKey, OUT PNT_OWF_PASSWORD NtOwfPassword ); // // Encrypt OwfPassword using UserSessionKey as the key // NTSTATUS RtlEncryptLmOwfPwdWithUserKey( IN PLM_OWF_PASSWORD LmOwfPassword, IN PUSER_SESSION_KEY UserSessionKey, OUT PENCRYPTED_LM_OWF_PASSWORD EncryptedLmOwfPassword ); NTSTATUS RtlDecryptLmOwfPwdWithUserKey( IN PENCRYPTED_LM_OWF_PASSWORD EncryptedLmOwfPassword, IN PUSER_SESSION_KEY UserSessionKey, OUT PLM_OWF_PASSWORD LmOwfPassword ); NTSTATUS RtlEncryptNtOwfPwdWithUserKey( IN PNT_OWF_PASSWORD NtOwfPassword, IN PUSER_SESSION_KEY UserSessionKey, OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword ); NTSTATUS RtlDecryptNtOwfPwdWithUserKey( IN PENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword, IN PUSER_SESSION_KEY UserSessionKey, OUT PNT_OWF_PASSWORD NtOwfPassword ); // // Encrypt OwfPassword using an index as the key // NTSTATUS RtlEncryptLmOwfPwdWithIndex( IN PLM_OWF_PASSWORD LmOwfPassword, IN PCRYPT_INDEX Index, OUT PENCRYPTED_LM_OWF_PASSWORD EncryptedLmOwfPassword ); NTSTATUS RtlDecryptLmOwfPwdWithIndex( IN PENCRYPTED_LM_OWF_PASSWORD EncryptedLmOwfPassword, IN PCRYPT_INDEX Index, OUT PLM_OWF_PASSWORD LmOwfPassword ); NTSTATUS RtlEncryptNtOwfPwdWithIndex( IN PNT_OWF_PASSWORD NtOwfPassword, IN PCRYPT_INDEX Index, OUT PENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword ); NTSTATUS RtlDecryptNtOwfPwdWithIndex( IN PENCRYPTED_NT_OWF_PASSWORD EncryptedNtOwfPassword, IN PCRYPT_INDEX Index, OUT PNT_OWF_PASSWORD NtOwfPassword ); ULONG RtlCheckSignatureInFile( IN PWSTR File ); BOOLEAN RtlGenRandom( OUT PVOID RandomBuffer, IN ULONG RandomBufferLength ); // // The buffer passed into RtlEncryptMemory and RtlDecryptMemory // must be a multiple of this length. // #define RTL_ENCRYPT_MEMORY_SIZE 8 // // Allow Encrypt/Decrypt across process boundaries. // eg: encrypted buffer passed across LPC to another process which calls RtlDecryptMemory. // #define RTL_ENCRYPT_OPTION_CROSS_PROCESS 0x01 // // Allow Encrypt/Decrypt across callers with same LogonId. // eg: encrypted buffer passed across LPC to another process which calls RtlDecryptMemory whilst impersonating. // #define RTL_ENCRYPT_OPTION_SAME_LOGON 0x02 NTSTATUS RtlEncryptMemory( IN OUT PVOID Memory, IN ULONG MemoryLength, IN ULONG OptionFlags ); NTSTATUS RtlDecryptMemory( IN OUT PVOID Memory, IN ULONG MemoryLength, IN ULONG OptionFlags ); // // Get the user session key for an RPC connection // #ifndef MIDL_PASS // Don't confuse MIDL NTSTATUS RtlGetUserSessionKeyClient( IN PVOID RpcContextHandle, OUT PUSER_SESSION_KEY UserSessionKey ); NTSTATUS RtlGetUserSessionKeyClientBinding( IN PVOID RpcBindingHandle, OUT HANDLE *RedirHandle, OUT PUSER_SESSION_KEY UserSessionKey ); NTSTATUS RtlGetUserSessionKeyServer( IN PVOID RpcContextHandle OPTIONAL, OUT PUSER_SESSION_KEY UserSessionKey ); #endif // MIDL_PASS #ifdef __cplusplus } // extern "C" #endif #endif // _NTCRYPT_